> So I've determined after two days of fighting with Squid that you can't
> password protect a reverse proxy, don't know why, but you can't.

You can, if you ask for it.

Edit src/acl.c and add the following line somewhere near the top:

#define AUTH_ON_ACCELERATION 1

Note however that you cannot use authorization both in the reverse
proxy/accelerator and the origin server at the same time. This is why
the feature is disabled by default. This is from a limitation in the
HTTP protocol and not much to do about.